On Tue, 04 Oct 2005, Marco d'Itri wrote:
> On Oct 04, Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> > (2) and (3) above are a hideous race that needs to be fixed. It probably
> Right: use udev.
Good.
> > could be used to gain limited, but still unauthorized access to mass-storage
> > devices for example (I didn't test).
> How?
1. Wait for user to hotplug USB device
2. Maybe slow down the system to a crawl, easily done in most systems
because almost no one uses CPU limits. This widens the window quite a lot
because hotplug crawls and eats CPU like a Tron 2.0 resource hog. Since as
things are we have about a 0.5s window in a reasonably fast machine, this
pass is quite optional and probably not needed.
3. Open raw device file for reading, it is unprotected at this time
4. Do whatever you want with it, it doesn't matter that hotplug will sooner
or later chown/chmod it. You already have a valid filehandle.
There are some difficulties on implementing this, but it is hardly
impossible. Still, the current racy setup is so hideous, it should be fixed
on principle alone...
> > In that case, the fix would probably be to get rid of usbfs completely... as
> Done: 2.6.14 will provide /dev/bus/usb/ devices which can be managed
> with udev.
It will be done when we deploy it on Debian and remove the buggy crap we
have right now/apply a workaround for those not using udev/2.6.14.
Are the current udev/hotplug config/agents dealing with USB devices
comprehensive enough that just changing the usbfs mounting to root-only by
default would simply work?
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh